Author: adam

Cool Tools Series: NMAP for Penetration Tests
In Scottie’s recent Cool Tools blog about discovery tools, he, like many network penetration testers, starts with Nmap. Nmap is a great discovery tool with many flags and scripts. In this post, I will expand upon Scottie’s ideas and delve more deeply into what Nmap has to offer, specifically for network penetration testing.

Hosts Marked as Down When They Are Up

If you find you have problems with Nmap flagging hosts as down, even though they should be up, I would recommend adding these flags to your command:
- -PS – SYN ping scan. You can optionally add a port number after this.
- –PA – ACK ping scan. You can optionally add a port number after this.
- -PE – Typical ICMP ping echo request, typically blocked by firewalls.
- -PP – ICMP timestamp ping query, which can sometimes get around misconfigured firewalls.
- -PM – ICMP subnet mask ping query, also good for evading misconfigured firewalls.
- -PO -This issues an IP protocol ping, which seems to work a lot of times when other probes don’t.
Putting that all together, my typical scans are now starting to look like this:
```
sudo nmap -oA [output] -sSUV --unique --resolve-all -PS -PA -PE -PP -PM -PO -T4 -O -p T:-,U:53,161 -vv -iL [targets]
```
Some other options present here:
- -oA [output] – Output in all file formats simultaneously.
- -sSUV – Combo of -sS (TCP SYN scan), -sU (UDP scan), and -sV (service version scanning).
- –unique – Scan each IP only once (e.g. if raxis.com resolves to 1.1.1.1, and both are targets, only scan 1.1.1.1 once).
- –resolve-all – If an DNS name resolves to multiple IPs, scan each IP.
- -T4 – Go a bit faster than default, recommended for modern networks (unless you’re trying to be quiet).
- -O – Try to determine operating system.
- -p T:-,U:53,161 – Scan all TCP ports as well as UDP ports 53 (DNS) and 161 (SNMP).
- -vv – Be very verbose in output.
- -iL [targets] – Use the targets in the specified file.
Additionally, when using -oA, if your scan gets interrupted, you can use this to resume the scan where it left off:
```
nmap --resume
```
The Nmap Scripting Engine

The Nmap Scripting Engine (NSE) provides 604 scripts and 139 libraries at the time I’m writing this. That number grows each year, so, needless to say, this is a very useful tool for penetration testers or for blue teams checking out possible vulnerabilities in their systems. I’ll discuss some Useful NSE scripts here, and I encourage you to take a look to see if there are others that would be helpful for your needs.

Shodan
- Queries the Shodan API for the targets. Follow the instructions on the NSE site to setup a Shodan API key.
```
nmap --script shodan-api [IP Range] -sn -Pn -n --script-args 'shodan-api.outfile=potato.csv,shodan-api.apikey=SHODANAPIKEY'
nmap --script shodan-api --script-args 'shodan-api.target=[IP],shodan-api.apikey=SHODANAPIKEY'
```
Server Message Block (SMB)
- Check if SMB signing is disabled:
```
nmap --script smb-security-mode -p445 [IP]
```
File Shares
- Attempt to enumerate SMB shares:
```
nmap --script smb-enum-shares -p445 [IP]
```
- Show NFS Shares (Exports):
```
nmap -sV --script=nfs-showmount [IP List or Range]
```
- Attempt to get useful information from NFS shares (mimics an -ls command):
```
nmap -p 111 --script=nfs-ls [IP List or Range]
nmap -sV --script=nfs-ls [IP List or Range]
```
Databases
- Attempts to find configuration and version info for a Microsoft SQL Server instance:
```
nmap -p 445 --script ms-sql-info [IP]
nmap -p 1433 --script ms-sql-info --script-args mssql.instance-port=1433 [IP]
```
- Looks for MySQL servers with an empty password for root or anonymous:
```
nmap -sV --script=mysql-empty-password [IP]
```
Domain Name Server (DNS)
- Perform DNS Cache Snooping:
```
nmap -sU -p 53 --script dns-cache-snoop --script-args 'dns-cache-snoop.mode=timed,dns-cache-snoop.domains={host1,host2,host3}' [IP]
```
- Checks DNS anti-spam and open proxy blacklists to see if an IP has been flagged:
```
nmap --script dns-blacklist --script-args='dns-blacklist.ip=[IP]'
nmap -sn [IP] --script dns-blacklist
```
Virtual Private Network (VPN)
- Checks if the host is vulnerable to the Cisco ASA SSL VPN Authentication Bypass Vulnerability:
```
nmap -p 443 --script http-vuln-cve2014-2128 [IP]
```
Network Time Protocol (NTP)
- Shows an NTP server’s monitor data:
```
sudo nmap -sU -pU:123 -Pn -n --script=ntp-monlist [IP]
```
Remote Access
- Attempts to brute-force a VNC server:
```
nmap --script vnc-brute -p 5900 [IP]
```
- Discovers the security layer and encryption level that is supported by a RDP service:
```
nmap -p 3389 --script rdp-enum-encryption <ip>
```
Network Protocols
- Attempts to brute-force a POP3 account:
```
nmap -sV --script=pop3-brute [IP]
```
- Attempts to brute-force a telnet server:
```
nmap -p 23 --script telnet-brute --script-args userdb=myusers.lst,passdb=mypwds.lst,telnet-brute.timeout=8s [IP]
```
Java
- Attempts to dump all objects from a remote RMI registry:
```
nmap --script rmi-dumpregistry -p 1098 [IP]
nmap --script rmi-dumpregistry -sV --version-all -p 443 [IP]
```
Weak Ciphers & Algorithms
- Enumerates all web ciphers that a server accepts:
```
nmap -sV --script ssl-enum-ciphers -p 443 <host>
```
- Finds the number of algorithms the SSH2 server offers (or lists them with verbosity set):
```
nmap --script ssh2-enum-algos [IP]
```
Certificates
- Displays the server’s SSL certificate. Set verbosity to add more details:
```
nmap --script=ssl-cert -p 443 [IP]
```
Http
- Checks if HTTP TRACE is enabled:
```
nmap --script http-trace -d [IP]
```
July 30, 2024
OWASP Top 10: The Bedrock of an Application Penetration Test

When performing a web app, mobile app, or API penetration test, many companies, including Raxis, refer to the OWASP Top 10. Here we’ll discuss what that means and why it’s helpful.

A History

The OWASP (Open Worldwide Application Security Project) Foundation is a non-profit organization with chapters worldwide. OWASP formed in 2001, and the first OWASP Top 10 was released in 2003.

While OWASP is best known for their Top 10 list, they have several other projects as well and host conferences around the world encouraging people interested in application development and cybersecurity to come together. All of their tools, documentation, and projects are free and open to all who are interested in improving application security.

OWASP states their vision as “No more insecure software,” and all of their efforts aid in that goal.

OWASP released their first Top 10 list in 2003 and continued with a new list every three years for about a decade. Updates have become less less frequent as web application security has matured. The most recent Top 10 list was released in 2021 and before that in 2017.

More Than Just a Web App Top 10 List

While the OWASP Top 10 list focuses mostly on web applications (and sometimes mobile applications, which share a number of similarities with web applications), in the last five years, OWASP has begun releasing a Top 10 list for APIs as well. An API (Application Programming Interface) contains functions that allow internal or external applications to contact the system for viewing and sometimes editing data. As such, APIs have a number of differences from web and mobile applications when it comes to keeping systems secure.

The OWASP API Security Top Ten was first released in 2019 with an update every other year, the most current in 2023. While there is some overlap with the application Top 10 list, this list focuses solely on APIs.

Updates to the Top 10 Lists

Updates to the Top 10 lists often combine vulnerabilities as cybersecurity professionals come to realize the items are related and best corrected in the same ways. As applications become more complex, OWASP has added new items to their lists as well.

Why a Top 10 List?

Knowing that application developers often have a lot of goals and limited time, and keeping with their vision of “no more insecure software,” OWASP releases its Top 10 list to give developers a succinct guide to follow within their SDLC (Software Development Lifecycle) process.

The items in the list are broad ideas that can be used in all parts of the planning, coding, and testing phases for applications. This encourages developers to build in security features early in the design phase as well as to find and add security measures later.

From a penetration testing perspective, the OWASP Top 10 list is also helpful. While malicious hackers have all the time in the world and don’t care if they crash systems and servers, penetration testers aim to discover as much as possible within an affordable time-boxed test without causing harm to an organization’s systems.

The OWASP Top 10 allows penetration testers to prioritize testing using agreed upon standards. This way customers receive the information needed to secure vulnerabilities in their applications and the knowledge that the controls they have in place are working correctly or need to be corrected. This doesn’t mean that penetration testers don’t examine other findings, but, within a time-boxed test, penetration testers attempt to focus first on the most critical risks.

How OWASP Creates the Top 10 List

On their website, OWASP explains their methodology for creating the OWASP Top 10 list, with eight categories from contributed data and two from a community survey. Contributed data is based on past vulnerabilities, while the survey aims to bring in new risks that may not have been fleshed out entirely in the cybersecurity world yet but that appear to be on the horizon and becoming key exposures.

The team also prioritized root causes over symptoms on this newest Top 10 list. The team has extensive discussions about all of the gathered CWEs in order to rank them by Exploitability, Detectability, and Technical impact. The move from CVSSv2 to CVSSv3 also played a role, as there have been multiple improvements in CVSSv3, but it takes time to convert CWEs to the new framework.

^{Source: https://owasp.org/www-project-top-ten/}

A Look at the 2021 OWASP Top 10

The most recent Top 10 list, released in 2021, added three new categories, merged a few categories, and changed the priority of several categories. Though some risks were merged, no risks were entirely removed. Here’s a look at the current OWASP Top 10 Risks (Source: https://owasp.org/www-project-top-ten):

A01:2021 Broken Access Control moves up from the fifth position; 94% of applications were tested for some form of broken access control. The 34 Common Weakness Enumerations (CWEs) mapped to Broken Access Control had more occurrences in applications than any other category. Raxis published a blog about A01:2021 just after the Top 10 list was released that year. Take a look at OWASP TOP 10: Broken Access Control for more details.

A02:2021 Cryptographic Failures shifts up one position to #2, previously known as Sensitive Data Exposure, which was broad symptom rather than a root cause. The renewed focus here is on failures related to cryptography, which often leads to sensitive data exposure or system compromise.

A03:2021 Injection slides down to the third position. 94% of the applications were tested for some form of injection, and the 33 CWEs mapped into this category have the second most occurrences in applications. Cross-site Scripting is now part of this category in this edition. Raxis published a blog about A03:2021 just after the Top 10 list was released that year. Take a look at 2021 OWASP Top 10 Focus: Injection Attacks for more details.

A04:2021 Insecure Design is a new category for 2021, with a focus on risks related to design flaws. If we genuinely want to “move left” as an industry, it calls for more use of threat modeling, secure design patterns and principles, and reference architectures.

A05:2021 Security Misconfiguration moves up from #6 in the previous edition; 90% of applications were tested for some form of misconfiguration. With more shifts into highly configurable software, it’s not surprising to see this category move up. The former category for XML External Entities (XXE) is now part of this category.

A06:2021 Vulnerable and Outdated Components was previously titled Using Components with Known Vulnerabilities and is #2 in the Top 10 community survey, but also had enough data to make the Top 10 via data analysis. This category moves up from #9 in 2017 and is a known issue that we struggle to test and assess risk. It is the only category not to have any Common Vulnerability and Exposures (CVEs) mapped to the included CWEs, so a default exploit and impact weights of 5.0 are factored into their scores.

A07:2021 Identification and Authentication Failures was previously Broken Authentication and is sliding down from the second position, and now includes CWEs that are more related to identification failures. This category is still an integral part of the Top 10, but the increased availability of standardized frameworks seems to be helping.

A08:2021 Software and Data Integrity Failures is a new category for 2021, focusing on making assumptions related to software updates, critical data, and CI/CD pipelines without verifying integrity. One of the highest weighted impacts from Common Vulnerability and Exposures/Common Vulnerability Scoring System (CVE/CVSS) data mapped to the 10 CWEs in this category. Insecure Deserialization from 2017 is now a part of this larger category.

A09:2021 Security Logging and Monitoring Failures was previously Insufficient Logging & Monitoring and is added from the industry survey (#3), moving up from #10 previously. This category is expanded to include more types of failures, is challenging to test for, and isn’t well represented in the CVE/CVSS data. However, failures in this category can directly impact visibility, incident alerting, and forensics.

A10:2021 Server-Side Request Forgery is added from the Top 10 community survey (#1). The data shows a relatively low incidence rate with above average testing coverage, along with above-average ratings for Exploit and Impact potential. This category represents the scenario where the security community members are telling us this is important, even though it’s not illustrated in the data at this time.

What This Means for Your Application

Raxis recommends including application security from the initial stages of your SDLC process. The OWASP Top 10 lists are a great starting point to enable developers to do that.

When scheduling your web application, mobile application, and API penetration tests, you can rely on Raxis to use the OWASP Top 10 lists as a guide.

April 23, 2024
Meet the Team: Adam Fernandez, Lead Developer

Hi, everyone! I’m Adam Fernandez, and it’s my turn to introduce myself as part of the Raxis Meet the Team series. So, I spoke to our marketing specialist, and we talked about my how I came to be a security professional. (As it turns out, I started down that path early in life). I certainly enjoy working with this team and, if you think you might also, read on and then check out our careers page or subscribe to our YouTube channel.

Jim: Adam, you’ve done a lot penetration tests, but your title is Lead Developer. What’s going on there?

Adam: I started out at Raxis as a penetration tester when I joined the company in 2017, but I also enjoy developing software, testing devices, and taking apart and building new ones. One of the great things about working for Raxis is that our leaders understand how those skills complement each other, and I have a lot of flexibility to work on new and advanced projects in addition to helping with pentesting engagements.

Jim: As I understand it, you came to Raxis from an entirely different career field, right?

Adam: That’s right. I actually studied stage management and lighting design at Kennesaw State University. In fact, theater was the focus of much of my time at Woodstock High School in Woodstock, GA as well as in college.

I started out as a stagehand, moving a ladder on and off stage. But I really wanted to work with sound and lighting, so I started learning as much as I could about that through YouTube videos, the Internet, and books my mom bought for me. I also sought out internships in Seattle, where I lived in the summers, and worked on the production of Sweeney Todd at SecondStory Reparatory Theater.

Jim: Did that help spur your interest in development?

Adam: In a way. As I transitioned into stage management, I knew that the sound and lighting people needed a better system for taking their cues, and my high school couldn’t afford an expensive solution. I really believed that was something I could figure out. So, I built a device to let them know what they were supposed to be doing when. Then I sold it to the school for $350.

Jim: That’s pretty amazing for a student, but you didn’t stop there, right?

Adam: No, I also wanted the theater department to have its own website to manage membership dues and ticket sales, so I created the whole thing from scratch. It was the ugliest site ever, but the school paid me $500 per year to manage it.

Jim: Sounds like you were a bit of an entrepreneur as well.

Adam: Well, I did create my first company at KSU. I developed software that would automate the audition process with searchable applications and headshots. The school paid me to manage events, but there was a rule that prevented them from paying students directly, so I had to create a company to make it all legit.

Jim: So, how did you move from doing events at KSU to penetration testing?

Adam: Well, I was also a student assistant at KSU for the Facilities Manager, Brad Herring, who ended up leaving KSU to go to work with Raxis and is now VP of Business Development. After he’d been here a while, he told me, “I think you’d be really good at pentesting, and I want you to talk to our CEO.” Brad’s always been a mentor to me and one of my best friends, so I took his advice and had lunch with him and (Raxis CEO) Mark Puckett. Before I knew it, I was working in a fascinating new field that I loved.

Jim: What is it about cybersecurity that’s interesting to you? How did you make that leap?

Adam: Looking back on it, security really wasn’t a leap at all. I remember as a small child, having an intense interest in padlocks and how they worked. I asked for a safe for Christmas one year. Then, it was spy gadgets, alarms, and games. My stepdad was a software developer, and, at a very young age, he helped me make a program that required you to enter a certain color sequence to unlock the app.

Now, I’m intrigued by using software to control things in the real world, which is why I love the IoT and figuring out how various devices work. In fact, I have an electronic access keycard system at my house. It’s antiquated, but I bought it in part so that I could reverse engineer it and learn how it works.

Jim: Do you get to work with devices at Raxis?

Adam: Yes, we have our Transporter that we use to do remote pentesting, and we recently bought the Boscloner company. That’s a very advanced badge-cloning device. Of course, with more and more devices online, IoT security is becoming a lot more important every day.

Jim: What’s your favorite part about working with Raxis?

Adam: I love having the ability to introduce new ideas and not only have them heard but also make them a reality. And Raxis just feels like family. Theatre was like that too, but this feels way more genuine.

August 27, 2021
Realistically Assessing the Threat of Clickjacking Today
Clickjacking is an easily preventable but sometimes difficult to understand vulnerability. In this article, we’re going to talk about the different ways this vulnerability can be exploited, the associated risk, and how to defend yourself against these types of attacks.

Let’s start with an explanation of how this attack works.

What is Clickjacking?

At its core, clickjacking is an attack that is made possible when the web application does not implement the proper protections against embedding its pages in an iframe. An attacker leverages this behavior to “hijack” a user’s click and trick them into executing an action in their account.

I’ve set up an instance of bWAPP, an intentionally vulnerable web application by ITSec Games, that will allow us to look at a clickjacking attack in practice. Our vulnerable web application is running at “bwapp.raxis.local,” and you’ll see this reflected in the screenshots and sample code below.

Finding a Target

The first thing we’ll need to do is find a page we can target. When looking for a page that might be vulnerable to clickjacking, it should allow for an action that meets three criteria:
- It can be executed in a single click (or very few);
- It affects a logged in user; and
- It could have an undesirable effect on the user or the organization.
It looks like our vulnerable web application has a page that meets all three criteria:

This page allows authenticated users to purchase movie tickets in a single click with a default of 10 tickets. No confirmation is required, and without manipulating the forms on this page, this will result in an unwanted purchase of €150 worth of movie tickets.

This behavior might seem unlikely to exist in the wild, but there are many different types of susceptible pages, from order confirmations like this to functionalities allowing a user to delete entire databases. Some of these susceptible pages may even incorporate parameters in the URL, which can be passed by an attacker. For example, an application might use a URL like the one below to create an order confirmation page dynamically:
```
http://example.com/order/confirm?product=jetski&quantity=10&payment=saved
```
Checking for Clickjacking Protections

Now that we have our target page, let’s look at how to use it in an attack.

The first thing we need to determine is whether the target page can be embedded in an iframe. While there are several methods of doing this, the easiest and most reliable by far is to try to embed a target page into an iframe on an attacker-controlled web page and see if it works. Let’s code up the web page now.

As we can see, there’s nothing very complex to this code. It’s a barebones HTML file, which includes an iframe referencing the page we want to embed. Let’s open up our HTML file in our browser and see if this works.

The web page loads into the iframe without issue. We can also see that, since we were already logged in to bWAPP, our session carried over.

Executing the Attack

Now that we have a good idea that the page is vulnerable, all we have left to do is code up a page designed to trick the user into clicking the Confirm button and convince the user into visiting to our malicious page.

To build this malicious page, we’re going to construct an enticing user interface:

Then, we’ll stick the iframe on top and align the Confirm button with the View button. I’ve made the iframe partially transparent in the screenshot below so you can see the multiple layers.

And finally, we’ll make the iframe completely transparent so that the user doesn’t even know that it’s there.

Now, when the user clicks the view button, they’ll actually be clicking the invisible Confirm button and purchasing 10 movie tickets, provided they’re logged in to their account.

Mission accomplished.

Here is the code that I threw together quickly for the purposes of this demo:

Perhaps the trickiest part of this attack is coming up with a method that will get users to go to our malicious page. An attacker might:
- Post a link to the malicious page in social media
- Email a malicious link to a user or group of users
- Embed a link in a QR code
- Attach the malicious HTML file to an email
- Leverage another vulnerability such as cross-site scripting (XSS) or open redirection
When Clickjacking isn’t Clickjacking

Let’s look at a different style of attack that’s popular among some penetration testers. This attack embeds a login page and places input elements on top of the login fields:

The overlaid fields are shown in blue for this article but would normally be completely invisible to the user. When a user fills out this form and submits it, the login request is instead sent to an attacker-controlled server, giving the attacker access to the user’s unencrypted credentials. You can read more about this style of attack here.

But is this type of attack really considered clickjacking? It involves an embedded iframe and overlays, but it is drastically different from our previous example. To determine this, let’s put ourselves into the mindset of an attacker.

As an attacker, our goal here is to capture as many credentials as reliably as possible while evading detection. There are at least two approaches we can take:
- Embed the target login page in a malicious HTML page as shown in the proof of concept, or
- Clone the HTML code of the login page and modify the form to send to a malicious server
These approaches are very similar. Both require hosting the page on a malicious web server, both require misleading the user into visiting a malicious link, and both redirect user input to a malicious server. Both approaches even run the same risk of the malicious web server being reported, blocked, or shut down.

However, when embedding the login page, there are additional factors that the attacker must consider:
- The target login page may already have clickjacking protections in place;
- The target login page could be altered, breaking the malicious page;
- The target login page could implement clickjacking protections, breaking the malicious page;
- The target login page cannot be easily modified by the attacker;
- It’s possible for the target page to determine and report the URL of the malicious page; and
- The malicious page may not look or function correctly if the window is resized
When considering the large number of downsides of using an iframe and overlay elements to conduct this attack, it is extremely unlikely that an attacker would attempt to execute it through clickjacking. Far more likely is that an attacker would simply clone the login page using a myriad of freely available tools designed to do exactly this.

Implementing protections against clickjacking would not stop this attack from occurring. Instead, the attacker would simply clone or recreate the page, which cannot be prevented. The proof of concept itself is also a stretch from the commonly agreed upon definition of clickjacking. For these reasons, Raxis in most cases no longer considers this type of attack to be clickjacking. Instead, we label this as a misconfigured security-related header, which continues to inform the customer of the small but perceptible risk, without blowing what’s essentially a non-exploitable vulnerability out of proportion.

Protecting Against Clickjacking

Despite the complex nature of a clickjacking attack and its reliance on phishing, developers should still take a layered approach to protecting their applications from this type of attack. This can be done by properly configuring two response headers and by properly setting flags on cookies.

Content-Security-Policy

For the uninitiated, Content-Security-Policy is a highly versatile header which can offer a large amount of protection to the end user when configured properly. You can generate one at https://report-uri.com/home/generate, and verify your existing one at https://csp-evaluator.withgoogle.com/.

To prevent pages from being embedded in iframes, we can use the frame-ancestors directive. Here’s a few ways this can be properly implemented:
- Content-Security-Policy: frame-ancestors ‘none’ – Prohibits the page from being embedded anywhere
- Content-Security-Policy: frame-ancestors ‘self’ – Allows the page to be embedded on the same domain only (exclusive of subdomains)
- Content-Security-Policy: frame-ancestors https://*.raxis.local https://raxis.local – Allows the page to be embedded on raxis.local and any of its subdomains
X-Frame-Options

X-Frame-Options used to be the primary line of defense against iframe embedding but has since been made obsolete by the frame-ancestors directive. Unless, of course, your users are using any version of Internet Explorer. To cover all our bases and take off this 1.1% of users, we need to add this header for legacy purposes. Configure this header in one of the following ways:
- X-Frame-Options: DENY – Prevent the page from being embedded anywhere
- X-Frame-Options: SAMEORIGIN – Allow the page to be embedded on the same domain only
Cookie Attribute – SameSite

A relatively new cookie attribute, SameSite, can also help protect against clickjacking by restricting the conditions in which cookies (such as a session token or JWT) are sent by the browser.

As of mid-2020, SameSite is set to Lax by default when the attribute is not set in Set-Cookie. This value prevents cookies from being sent in iframes, which essentially breaks any clickjacking attack that relies on the user being logged in.

To use the SameSite attribute as an additional layer of protection against clickjacking, configure the SameSite attribute on your session-related cookies to one of the following values:
- SameSite=Strict – No cross-site cookies, ever
- SameSite=Lax – Cross-site cookies only when the user is navigating to the original site
Since Lax is the default, you can leave this value unconfigured, but it’s a best practice to explicitly configure it as one of the above values, both from a documentation and security standpoint.

You can read more about the SameSite attribute at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite.

Side Note: Setting SameSite to Strict or Lax also helps defend against cross-site request forgery (CSRF) attacks.
May 28, 2021
So, I Hacked a Tesla . . .
Tesla deserves great credit for bringing electric vehicles into the mainstream. Say what you will about Elon Musk, his vision is proving wildly successful in a space where many others have failed.

Even so, if the two of us could have a conversation, I’d probably recommend that the company invest more time and resources in cybersecurity for its vehicles.

Here’s why:

Recently I decided to see how easy it would be for my personal Tesla to be hacked — and stolen. As you will see in the video below, with some commonly used tactics, it was relatively quick and easy.

The attack demonstrated in the video relies on phishing to get the victim’s credentials. At that point, the hacker has complete control and can do pretty much whatever they wish — including unlocking the car and driving away.

The video demonstrates why, if you’re not careful, your Tesla could be compromised and stolen without a lot of effort from the attacker.

Until the company itself adds more protection, it’s up to you to take some basic precautions. By the way, it’s wise to follow these practices no matter if it’s your Tesla, your bank account, your Twitter feed, or any online account.
- Stay vigilant and question any WiFi network that asks you to connect.
- Never give account information, credentials, or access tokens to a third party unless it is absolutely necessary.
- Every account you create should have a unique and strong password. Every. Single. Account.
- If your account is compromised, immediately reset your password and let the company or companies know.
Here at Raxis, we offer a broad range of services to help find security vulnerabilities within your organization. And though a typical penetration test would not uncover this type of vulnerability, a Raxis red team assessment could.

Our red team assessments tests your organization’s security from top to bottom and end to end to uncover any way your network can be compromised by a skilled and determined attacker. If you are ready to take control of your company’s security, contact us and let us see how we can help.
December 11, 2020